Software Composition Analysis

Integrate Software Composition Analysis (SCA) tools like Semgrep and Snyk to enrich runtime vulnerability findings with source code context, enabling faster and more accurate remediation.

Introduction

Sysdig’s Software Composition Analysis (SCA) integrations connect findings from your SCA tools with runtime vulnerability data discovered by Sysdig Secure. This integration enriches runtime package vulnerabilities with crucial source code context, directly addressing the core value proposition: SCA + Runtime Context = Enhanced Risk Understanding & Remediation.

By linking a runtime vulnerability back to its origin in the source code, teams can significantly accelerate triage, pinpoint ownership, and apply the correct fix efficiently.

Benefits and Use Cases

Combining SCA insights with Sysdig’s runtime data provides a clearer, more actionable path to reducing risk observed in your production environments.

Faster Root Cause Analysis (The “WHERE”)

Link runtime vulnerabilities back to the source context to immediately understand their origin.

  • For Security Teams: When investigating a runtime vulnerability, you can instantly see the associated source code repository and the specific dependency file (e.g., package.json, pom.xml) where the vulnerable package was declared. This provides a clear line of sight from runtime risk back to the codebase.
  • For Developers and Engineers: When tasked with fixing a vulnerability, the source repository and file path are readily available. This eliminates guesswork and allows you to rapidly locate the specific code requiring modification.

Better Fix Recommendations (The “HOW”)

Provide actionable remediation guidance directly from SCA data.

  • For Developers and Engineers: Sysdig displays the specific, recommended safe version(s) to upgrade a vulnerable package to. This ensures you can efficiently apply the correct fix without spending time researching solutions. Links to relevant patch information or remediation advice are also provided for clear, actionable steps.
  • For Security Teams: When assessing a runtime vulnerability, seeing the recommended fix version helps security teams understand the remediation path and effort required, facilitating better communication and planning with development teams.

Process Overview

The integration works by correlating runtime findings with data ingested from your configured SCA tool. This correlation is made possible by a specific label on your container images.

  1. Configure the Integration: An administrator connects Sysdig Secure to your SCA provider (Semgrep or Snyk).
  2. Label Your Images: During your CI/CD build process, you must add the org.opencontainers.image.source label to your container images. This label tells Sysdig which source repository the image was built from.
  3. View Enriched Findings: Sysdig scans your running images. When a vulnerability is found in a package, Sysdig uses the image label to query the connected SCA tool for context about that package in the corresponding source repository. The runtime finding is then automatically enriched with details like the recommended fix version and the dependency file path.

Prerequisite: Linking Source to Runtime

To enable the correlation between runtime assets and source code, you must add a Docker label to your images at build time. This allows Sysdig to identify the source repository associated with a running container.

The required label is org.opencontainers.image.source, and its value is the URL of the repository the image was built from.

Docker labels can be added in two ways:

  • In source code, by adding a LABEL statement to your Dockerfile.
  • In your build pipeline, using the --label parameter of the docker build command.

Example:

The following Dockerfile adds the LABEL instruction. The repository URL is passed in as a build argument rather than hard-coded, so the same Dockerfile works from any pipeline. In GitHub Actions the github.repository context value supplies the owner/repo part of the URL; note that a ${{ ... }} expression is expanded only by the workflow runner, never by Docker, so it cannot be written directly into the Dockerfile.

FROM nginx:latest

# Supplied at build time, e.g. --build-arg SOURCE_REPO_URL=https://github.com/<owner>/<repo>
ARG SOURCE_REPO_URL

LABEL org.opencontainers.image.source="${SOURCE_REPO_URL}"
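The build-pipeline route, as an added example that is not part of Sysdig's documentation: a POSIX shell script that stamps the label with docker build --label, reads it back with docker inspect, and fails the job when the label is missing or is not a usable repository URL, so that images Sysdig cannot correlate never reach the registry. IMAGE_TAG and SOURCE_REPO_URL are assumed pipeline variables, and the validation rule (an https URL with a host and a path) is this example's own choice rather than a rule stated by Sysdig.

```shell
#!/usr/bin/env sh
# Added example, not Sysdig's own code: stamp the OCI source label from the
# build pipeline and verify that the built image actually carries it.
# Assumed CI variables: IMAGE_TAG (name:tag to build) and SOURCE_REPO_URL
# (e.g. "https://github.com/${GITHUB_REPOSITORY}" in a GitHub Actions job).

LABEL_KEY="org.opencontainers.image.source"

# Accept only values that can plausibly be resolved to a repository: an https
# URL with a non-empty host and a non-empty path, containing no whitespace.
# (Validation rule chosen for this example; the page does not specify one.)
valid_source_url() {
  url=$1
  if printf '%s' "$url" | grep -q '[[:space:]]'; then
    return 1
  fi
  case "$url" in
    https://*) ;;
    *) return 1 ;;
  esac
  rest=${url#https://}
  host=${rest%%/*}
  [ -n "$host" ] || return 1
  [ "$rest" != "$host" ] || return 1   # no "/" after the host means no path
  path=${rest#*/}
  [ -n "$path" ]
}

# Build with the label supplied by the pipeline instead of hard-coding it in
# the Dockerfile; refuse to build at all if the value would not be usable.
build_with_source_label() {
  image=$1
  src=$2
  if ! valid_source_url "$src"; then
    echo "refusing to build $image: '$src' is not a usable $LABEL_KEY value" >&2
    return 1
  fi
  docker build --label "$LABEL_KEY=$src" -t "$image" .
}

# Read the label back from a built image (prints an empty line if absent).
image_source_label() {
  docker inspect --format "{{ index .Config.Labels \"$LABEL_KEY\" }}" "$1"
}

# Pipeline gate: an image without the label can never be correlated, so stop here.
assert_source_label() {
  got=$(image_source_label "$1") || return 1
  if [ -z "$got" ]; then
    echo "image $1 carries no $LABEL_KEY label" >&2
    return 1
  fi
  echo "$1 -> $got"
}

# Build only when the pipeline supplied both inputs; otherwise just define the functions.
if [ -n "${IMAGE_TAG:-}" ] && [ -n "${SOURCE_REPO_URL:-}" ]; then
  build_with_source_label "$IMAGE_TAG" "$SOURCE_REPO_URL" && assert_source_label "$IMAGE_TAG"
fi
```

Run it from the job after checkout with the two variables exported; the same docker inspect check can also be applied to images already in a registry to find out which running workloads will never be enriched.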

Set up an SCA Integration

  1. Log in to Sysdig Secure as an administrator and select Integrations > Software Composition Analysis.
    • If no integration has been added, the page is empty.
    • If integrations already exist, a list is displayed showing the Integration Name, Type (Semgrep, Snyk), and Status.
  2. Click Add SCA Integration.
  3. Select the relevant integration type from the drop-down and complete the configuration.

Aikido

Create Client Credentials in Aikido

  1. From your Aikido settings, navigate to the Aikido public REST API integration page.
  2. Click the Add Client button to create a new integration.
  3. Give your integration a descriptive name and select Private App for the Type.
  4. Select the following permissions:
    • issues:read
    • clouds:read
    • repositories:read
    • containers:read
    • basics:read
  5. After generating the credentials, copy the Client ID and Client Secret and store them in a safe place.

Configure in Sysdig

  1. From the Add SCA Integration page, choose Aikido.
  2. Enter a unique Integration Name to identify this connection.
  3. Enter the Client ID and Client Secret you created in Aikido.
  4. Click Test Connection to validate the credentials.
  5. Upon a successful test, click Add Integration.

Arnica

Create an API Key in Arnica

  1. From your Arnica Console, navigate to the API page via the sidebar menu.
  2. Click the Create API key button.
  3. Give the API key a descriptive name.
  4. Select the risks:read permission.
  5. After the key is created, copy the value and store it in a safe place.

Configure in Sysdig

  1. From the Add SCA Integration page, choose Arnica.
  2. Enter a unique Integration Name to identify this connection.
  3. Enter the Access Token (API Key) you created in Arnica.
  4. Click Test Connection to validate the credentials.
  5. Upon a successful test, click Add Integration.

Checkmarx

Create an OAuth Client in Checkmarx

  1. Log in to your Checkmarx One environment and navigate to Settings > Identity and Access Management.
  2. Go to the OAuth Clients tab and click Create OAuth Client.
  3. Provide a name and description for the client.
  4. Assign the following minimum required scopes:
    • View-applications
    • View-projects
    • View-scans
    • View-results
     Alternatively, you can assign a default composite role such as ast-viewer.
  5. Click Save.
  6. Securely store the generated Client ID and Client Secret.

Configure in Sysdig

  1. From the Add SCA Integration page, choose Checkmarx.
  2. Enter a unique Integration Name.
  3. Provide the following configuration parameters:
    • API Base URL: The URL for your Checkmarx One region:
      • US: https://ast.checkmarx.net
      • US2: https://us.ast.checkmarx.net
      • EU: https://eu.ast.checkmarx.net
      • EU2: https://eu-2.ast.checkmarx.net
      • Germany (DEU): https://deu.ast.checkmarx.net
      • Australia & NZ: https://anz.ast.checkmarx.net
      • India: https://ind.ast.checkmarx.net
      • Singapore: https://sng.ast.checkmarx.net
      • UAE (MEA): https://mea.ast.checkmarx.net
      • Israel (Gov-IL): https://gov-il.ast.checkmarx.net
    • Tenant Name: Your Checkmarx One tenant name.
    • Client ID: The Client ID from the previous step.
    • Client Secret: The Client Secret from the previous step.
  4. Click Test Connection to validate the credentials.
  5. Upon a successful test, click Add Integration.

GitHub Advanced Security

The GitHub Advanced Security integration uses an OAuth flow for a secure, browser-based authorization.

Configure in Sysdig

  1. From the Add SCA Integration page, choose GitHub Advanced Security.
  2. Enter a unique Integration Name to identify this connection.
  3. Click Connect to GitHub. You will be redirected to the GitHub website.
  4. Log in to GitHub if you are not already.
  5. Select the account or organization where you want to install the Sysdig app to grant access to Advanced Security Alerts.
  6. Choose the repositories to authorize for access (all or specific repositories).
  7. Click Install and Authorize to complete the installation.
  8. Upon successful authorization, you will be redirected back to the Sysdig Secure UI, and the connection will be finalized automatically.

GitLab

The GitLab integration uses an access token to authenticate. You can create a Personal, Group, or Project Access Token depending on the desired scope of access.

Create a GitLab Access Token

Create a Personal, Group, or Project access token in GitLab with the following configuration:

  • Role: Developer
  • Scopes:
    • read_api
    • read_repository
    • read_registry
  • Expiration Date: Set to the maximum possible date.

Record your access token and store it in a safe place. You will not be able to see it again after closing the window.

For detailed instructions, refer to the official GitLab documentation for Project, Group, or Personal access tokens.

Find Project IDs (Optional)

If you use a token with broad access (like a Personal or Group token) and want to restrict the integration to specific projects, you will need their Project IDs.

  1. In GitLab, navigate to the project’s main page.
  2. The Project ID is visible under the project name on the overview page or in Settings > General.
  3. Collect the IDs for all projects you wish to include.

Configure in Sysdig

  1. From the Add SCA Integration page, choose GitLab.
  2. Enter a unique Integration Name.
  3. Enter the GitLab Access Token you created.
  4. (Optional) In the Allowed Project IDs field, enter a comma-separated list of Project IDs to restrict scanning to specific projects (e.g., 67411111,67422222). This is recommended if your token has access to more projects than you intend to scan.
  5. Click Test Connection to validate the credentials.
  6. Upon a successful test, click Add Integration.

Mend

The Mend integration requires an Organization UUID and a Service User key.

Gather Credentials from Mend

  1. Log in to the Mend Platform dashboard.
  2. Click the Settings (gear icon) and select Administration.
  3. On the General Configuration screen, copy the Organization UUID and save it.
  4. Navigate to the Users tab and click Add Service User.
  5. Enter a User Name. The Email Address will be auto-generated.
  6. Click OK to create the service user.
  7. In the Users table, find the new user, click the three dots (…), and select Copy User Key.
  8. Securely store the Organization UUID, the auto-generated User Email, and the User Key.

Configure in Sysdig

  1. From the Add SCA Integration page, choose Mend.
  2. Enter a unique Integration Name.
  3. Enter your Mend Organization UUID, User Email, and User Key.
  4. Click Test Connection to validate the credentials.
  5. Upon a successful test, click Add Integration.

Semgrep

The Semgrep integration requires an API token with specific permissions.

Create the API Token in Semgrep

  1. Log in to your Semgrep account.
  2. Navigate to Settings > Tokens.
  3. Under API Tokens, click Create new token.
  4. In the pop-up window, enable the following scopes for the token:
    • Agent CI
    • Web API
  5. Record your API token and store it in a safe place. You will not be able to see it again after closing the window.
  6. Click Save.

Configure in Sysdig

  1. From the Add SCA Integration page, choose Semgrep.
  2. Enter a unique Integration Name to identify this connection.
  3. Enter your Semgrep Organization Name. You can find this in your Semgrep URL (e.g., semgrep.dev/manage/my-org).
  4. Enter the API Token you created in the previous steps.
  5. Click Test Connection to validate the credentials.
  6. Upon a successful test, click Add Integration.

Snyk

The Snyk integration uses OAuth2 for a secure, browser-based authorization flow. You do not need to manually create or manage API tokens.

Note: Snyk EU Region Limitations

Due to differences in the Snyk API for the EU region, some enrichment data may not be available for EU-based customers. This can include fields such as remediation advice, cvss_score, and whether a fix is patchable.

Configure in Sysdig

  1. From the Add SCA Integration page, choose Snyk.
  2. Enter a unique Integration Name to identify this connection.
  3. Enter your Snyk Organization ID. This can be found in your Snyk organization’s settings URL.
  4. Click Connect to Snyk. You will be redirected to the Snyk website in a new browser tab.
  5. Log in to Snyk if you are not already.
  6. A Snyk page will ask you to authorize Sysdig to access your resources. Review the permissions and click Authorize.
  7. Upon successful authorization, you will be redirected back to the Sysdig Secure UI. The connection will be finalized automatically. The status should show as Active.

Validate the Integration

Once an integration is configured, its status will appear in the Software Composition Analysis integrations list.

  • Status: The status should be Active, indicating a successful connection between Sysdig Secure and your SCA provider. If there is an error, review your configuration details and credentials.
  • Viewing Enriched Data: Validation is confirmed by observing the enriched data in your runtime vulnerability findings. Navigate to Vulnerabilities > Findings, and select a vulnerability associated with an image that has the org.opencontainers.image.source label. It may take up to 24 hours for the enriched data to appear.

In the vulnerability details, you will now see new fields populated with data from your SCA tool:

  • Repository, URL, Branch, Commit: Pinpoints the exact location in your source code where the vulnerable package originates, including the repository name, clone URL, branch, and specific commit hash.
  • File Path: Shows the path to the manifest file (e.g., package.json) that declares the vulnerable dependency.
  • Remediations: Provides actionable suggestions from the SCA tool, such as the safe version to upgrade to.
  • Vendor Links: Offers direct links to the SCA provider’s resources, such as their knowledge base or a specific issue tracker for the vulnerability, for deeper investigation.